networking – Ubuntu transmits TTL 0 multicast packets

IP packets with TTL 0 shall not leave host.

But when I start an application which multicasts UDP packets with TTL 0, I see packets with TTL 0 leaving the host for a few seconds, before it comes back to the normal TTL 0 behavior. This most likely happens after a reboot and the first start of the application.

I confirmed packets with TTL 0 leaving host with tcpdump:

05:31:39.048304 IP (tos 0x0, id 14487, offset 0, flags (DF), proto UDP (17), length 1344)
    192.168.1.200.46968 > 239.0.0.1.1234: UDP, length 1316
05:31:39.049594 IP (tos 0x0, id 14488, offset 0, flags (DF), proto UDP (17), length 1344)
    192.168.1.200.46968 > 239.0.0.1.1234: UDP, length 1316
05:31:39.051601 IP (tos 0x0, id 14489, offset 0, flags (DF), proto UDP (17), length 1344)
    192.168.1.200.46968 > 239.0.0.1.1234: UDP, length 1316
05:31:39.053584 IP (tos 0x0, id 14490, offset 0, flags (DF), proto UDP (17), length 1344)
    192.168.1.200.46968 > 239.0.0.1.1234: UDP, length 1316

As we can see, ttl is not displayed, which means TTL 0, as confirmed by the tcpdump man page: https://www.tcpdump.org/manpages/tcpdump.1.html (search for ttl; it clearly states: ttl is the time-to-live; it is not reported if it is zero).

There are no iptables rules running.

uname -a: Linux mydevice 4.15.0-101-generic #102-Ubuntu SMP Mon May 11 10:07:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

lsb_release -a:

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.4 LTS
Release:        18.04
Codename:       bionic

What can be the cause for this behavior, and how can I resolve this?
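
An added example, not part of the original question: a C check that can be run over captured packets to flag the condition shown in the tcpdump output above, an IPv4 packet addressed to 224.0.0.0/4 that carries TTL 0. The sample header is constructed from the values in the capture (addresses, id, length, DF, UDP), and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { PKT_MALFORMED, PKT_OK, PKT_TTL0_MULTICAST };

/* RFC 1071 one's-complement checksum; a valid header yields 0. */
static uint16_t hdr_checksum(const uint8_t *h, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2)
        sum += (uint32_t)((h[i] << 8) | h[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Classify one captured packet; p points at the IPv4 header. */
enum verdict check_egress(const uint8_t *p, size_t len)
{
    if (len < 20 || (p[0] >> 4) != 4)
        return PKT_MALFORMED;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len || hdr_checksum(p, ihl) != 0)
        return PKT_MALFORMED;
    int multicast = (p[16] & 0xf0) == 0xe0;      /* 224.0.0.0/4 */
    return (p[8] == 0 && multicast) ? PKT_TTL0_MULTICAST : PKT_OK;
}

/* Constructed sample: 192.168.1.200 > 239.0.0.1, id 14487, length 1344. */
void make_sample(uint8_t h[20], uint8_t ttl)
{
    static const uint8_t base[20] = {
        0x45, 0x00, 0x05, 0x40,      /* version 4, IHL 5, tos 0, length 1344 */
        0x38, 0x97, 0x40, 0x00,      /* id 14487, flags DF, offset 0 */
        0x00, 0x11, 0x00, 0x00,      /* ttl, proto UDP (17), checksum */
        192, 168, 1, 200,            /* source */
        239, 0, 0, 1,                /* destination */
    };
    memcpy(h, base, sizeof base);
    h[8] = ttl;
    uint16_t c = hdr_checksum(h, 20);    /* checksum field is still zero here */
    h[10] = (uint8_t)(c >> 8);
    h[11] = (uint8_t)(c & 0xff);
}

int main(void)
{
    uint8_t h[20];
    make_sample(h, 0);
    printf("ttl 0 -> verdict %d\n", check_egress(h, sizeof h));
    make_sample(h, 1);
    printf("ttl 1 -> verdict %d\n", check_egress(h, sizeof h));
    return 0;
}
```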

Unable to create QEMU socket network in Windows host using multicast fails with unknown error

I am trying to create a simulated VLAN using socket networking, and the only way to connect multiple networks in QEMU using socket networking is to use the multicast mcast option of the socket network backend.

However, when I try to use the following arguments in QEMU to create a multicast socket network:

-device e1000,netdev=sock-0 -netdev id=sock-0,mcast=230.0.0.1:1234

it fails with:

can't bind ip=230.0.0.1 to socket: Unknown error in my Windows host.

Is this a QEMU bug or is it missing a prerequisite before running the QEMU command (for example, waiting for a multicast listener to run, etc.)?

By the way, I am using Windows 10 and I am running a cross-compiled QEMU 4.2.0. I printed the error just before the failing bind in QEMU's net/socket.c source code, on line 256, and WSAGetLastError returned WSAEADDRNOTAVAIL.

amazon web services – Why don't GCP, AWS, or Azure support IGMP multicast / broadcast?

It is well known that GCP / AWS / Azure do not support multicasting or IGMP broadcasting. Some claim that it is because of security concerns, but do not mention what those concerns are.

Is there a reason why these cloud providers don't support such long-standing and well-specified routing paradigms?

nat – Use interface IP address to respond to incoming multicast packet

I have a multicast routing configuration with forwarding on the receiving side, as follows (all Linux):

+----------------+            +----------------+                  +-------------+
| openvpn-server |tun0    tun0| openvpn-client | forward port 53  | application |
|    10.8.0.1    |============|    10.8.0.2    |------------------| 172.16.3.3  |
+----------------+            +----------------+                  +-------------+
                               joined 239.1.2.3
                               multicast group

In this configuration, the openvpn-server side sends UDP packets to multicast group 239.1.2.3 on port 53. Specifically, the packets are DNS NOTIFY messages, but I don't think that is relevant here. (There are several instances of openvpn-client; that's why multicasting is used.)

openvpn-client then forwards traffic to application. This host acknowledges receipt of the packet by responding with another UDP packet.

The response packet is returned to openvpn-client, where Linux rewrites the source IP to the recipient of the original packet (assuming that it will be the sender of the response), i.e. 239.1.2.3. This is the problem: due to this source IP address, the packet is not forwarded to the original sender of the first packet and the sender thinks that the packet was not delivered. This results in several unnecessary attempts and a lot of logging.

The question is whether it is possible to make openvpn-client rewrite the source address of the response to 10.8.0.2 instead. I believe that if this were the case, the response packet would be delivered. Is it possible?

I have observed that when I ping from 10.8.0.1 to 239.1.2.3, the echo packet comes from 10.8.0.2 (and not from 239.1.2.3). (Note that the ping case does not involve port forwarding.) How can I get the same behavior for my UDP case?

routing – Configure a multicast route on an intermediate hop

I have a host with two Docker containers (with NET_ADMIN capability):

  • backend with an interface eth0 (172.16.7.3)
  • openvpn-server with interfaces eth0 (172.16.7.2) and tun0 (10.8.0.1), running an OpenVPN server (tun mode)

There is an OpenVPN client on another machine openvpn-client with interface tun0 (10.8.0.2). The VPN works.

Additional route configuration:

  • backend has routes 10.8.0.0/24 via 172.16.7.2 and 224.0.0.0/4 via eth0.
  • openvpn-server has routes 10.8.0.0/24 dev tun0 and 224.0.0.0/4 dev tun0.

backend can successfully ping openvpn-client (routed by openvpn-server): ping 10.8.0.2 works like a charm.

Observations:

When I run ping -t3 225.1.2.3 on openvpn-server, the packets go through the VPN tunnel, and I can see the ICMP packets arriving on openvpn-client (with tcpdump -i tun0 net 224.0.0.0/4 on openvpn-client).

Also, when I run ping -t3 225.1.2.3 on backend, the packets go out through this host's eth0 and enter openvpn-server's eth0. I can see them on openvpn-server using tcpdump -i eth0 net 224.0.0.0/4.

Problem:

I wish I could run ping -t3 225.1.2.3 on backend and have the pings sent to openvpn-client, as if 10.8.0.2 had been pinged. (The end goal is to multicast UDP packets from backend to all VPN clients.)

My attempt:

smcroute -d -n -j eth0 225.1.2.3 -a eth0 172.16.7.3 225.1.2.3 tun0

I thought it would establish the multicast route, but in reality it doesn't matter. I can't see outgoing ICMP packets on openvpn-server's tun0. What's wrong?

I also tried to set up pimd on any two pairs of the three hosts, as well as on the three. As a result, I could run an iperf test (as suggested here) between backend and openvpn-server, and also between openvpn-server and openvpn-client, but not between backend and openvpn-client. It seems that the forwarding / routing through the hop in the middle does not work. (I had set the TTL to 5, so that shouldn't be the problem.)

I am happy to provide more details if necessary (such as ip route list output), but did not want to clutter the issue unnecessarily.

c – What method do you suggest for reading a multicast stream under Linux?

I wrote a program in Linux using C/C++ which reads multicast packets and tries to figure out whether a specific event has occurred or not as quickly as possible. Latency is the key point here.

In the protocol, the first two bytes represent the type of message.
In my current implementation, I read the first two bytes and I decide how many bytes to read for the payload depending on the type of message. Namely, I execute 2 read operations for 1 packet. One of the read operations concerns the length of the packet and the other the payload. So there are 2 I/O operations.

Alternatively, I could do this: I read as much as I can, check the first 2 bytes, let's say it's N, go for N bytes, and form packet1 and packet2. If there are bytes remaining after packets 1 and 2 are formed, read more bytes and process the byte buffer again as above. In this method, it is necessary to iterate over the byte buffer.

Which is faster theoretically? I know I need to implement and measure both, but I just wanted to hear your suggestions.

Thank you
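
An added example, not part of the original question: on a UDP socket each read returns at most one datagram and the unread remainder of that datagram is discarded, so this C parser works on a whole datagram obtained from a single recv() call and bounds-checks every message before using it. The big-endian type field, the type-to-length table and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical message types and fixed payload sizes (not from the post). */
static int payload_len(uint16_t type)
{
    switch (type) {
    case 0x0001: return 4;     /* assumed: heartbeat */
    case 0x0002: return 12;    /* assumed: event */
    default:     return -1;    /* unknown type */
    }
}

struct msg { uint16_t type; const uint8_t *payload; size_t len; };

/*
 * Walk one datagram and fill out[] with the messages it contains.
 * Returns the number of messages, or -1 if the datagram holds an unknown
 * type, a message running past the end, or more than max messages.
 */
int parse_datagram(const uint8_t *buf, size_t len, struct msg *out, int max)
{
    size_t off = 0;
    int n = 0;

    while (off < len) {
        if (len - off < 2 || n == max)
            return -1;
        uint16_t type = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        int plen = payload_len(type);
        if (plen < 0 || (size_t)plen > len - off - 2)
            return -1;                 /* never trust the implied length */
        out[n].type = type;
        out[n].payload = buf + off + 2;
        out[n].len = (size_t)plen;
        n++;
        off += 2 + (size_t)plen;
    }
    return n;
}

/* Constructed datagram: one type-1 message followed by one type-2 message. */
static const uint8_t SAMPLE[20] = {
    0x00, 0x01, 0xde, 0xad, 0xbe, 0xef,
    0x00, 0x02, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
};

int main(void)
{
    struct msg m[8];
    int n = parse_datagram(SAMPLE, sizeof SAMPLE, m, 8);
    printf("parsed %d messages\n", n);
    for (int i = 0; i < n; i++)
        printf("type %u, %zu payload bytes\n", (unsigned)m[i].type, m[i].len);
    return 0;
}
```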

multicast – IGMP proxy, no incoming traffic

After asking Network Engineering this question, I was told that the site is focused on corporate environments, while my configuration is a residential network. Therefore, I will try my luck here.

I have successfully connected my Cisco 886VA to my local provider via a VDSL interface.
The provider's TV solution is based on AppleTV and multicasting.

Vlan1 is my internal LAN.
Ethernet0 is the link to the ISP, while Dialer1 is used as the IP interface.

Here is my configuration so far – reduced to what I think is sufficient (note that there is NAT, in case this is important):

ip multicast-routing
!
interface Ethernet0
 description PPPoE
 no ip address
 ip nat outside
 no ip virtual-reassembly in
 no ip route-cache
 pppoe enable group global
 pppoe-client dial-pool-number 1
!

interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip pim sparse-dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ip igmp proxy-service
!
interface Dialer1
 ip address negotiated
 no ip redirects
 ip flow ingress
 ip pim sparse-dense-mode
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip igmp mroute-proxy Vlan1
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname SOMEHOSTNAME
 ppp chap password 7 SOMEPASSWORD
 ppp ipcp dns accept
 ppp ipcp route default
 no cdp enable
!
ip nat source static tcp 192.168.0.30 80 interface Dialer1 80
ip nat inside source list LAN_ACL interface Dialer1 overload
!
ip access-list extended LAN_ACL
 permit ip 192.168.0.0 0.0.0.255 any
!

After a long troubleshooting session and a lot of research on Google, here is what I have found so far.
In addition, there are two Cisco SG300 (Small Business) switches between my endpoint and the router. IGMP Snooping is enabled for both.

Visiting one of the channels, for example udp://@239.77.0.77:5000, on my PC clearly causes IGMP joins and leaves to be displayed on the router. The debug ip igmp output shows:

*Dec 31 15:04:12.490: IGMP(0): Send v2 general Query on Vlan1
*Dec 31 15:04:12.490: IGMP(0): Set report delay time to 7.9 seconds for 224.0.1.40 on Vlan1
*Dec 31 15:04:12.490: IGMP(0): Sending Proxy Report for 239.255.255.250 to Vlan1
*Dec 31 15:04:12.490: IGMP(0): Received v2 Report on Vlan1 from 192.168.0.1 for 239.255.255.250
*Dec 31 15:04:12.490: IGMP(0): Received Group record for group 239.255.255.250, mode 2 from 192.168.0.1 for 0 sources
*Dec 31 15:04:12.490: IGMP(0): Updating EXCLUDE group timer for 239.255.255.250
*Dec 31 15:04:12.490: IGMP(0): MRT Add/Update Vlan1 for (*,239.255.255.250) by 0
*Dec 31 15:03:20.894: IGMP(0): Received v2 Report on Vlan1 from 192.168.0.33 for 224.0.0.252
*Dec 31 15:03:20.894: IGMP(0): Report has illegal group address 224.0.0.252
*Dec 31 15:03:21.010: IGMP(0): Received v2 Report on Vlan1 from 192.168.0.30 for 224.0.0.251
*Dec 31 15:03:21.010: IGMP(0): Report has illegal group address 224.0.0.251
*Dec 31 15:03:21.010: IGMP(0): Received v2 Report on Vlan1 from 192.168.0.30 for 224.0.0.251
*Dec 31 15:03:21.010: IGMP(0): Report has illegal group address 224.0.0.251
*Dec 31 15:03:55.470: IGMP(0): Received v2 Report on Vlan1 from 192.168.0.33 for 239.77.0.77
*Dec 31 15:03:55.470: IGMP(0): Received Group record for group 239.77.0.77, mode 2 from 192.168.0.33 for 0 sources
*Dec 31 15:03:55.470: IGMP(0): Updating EXCLUDE group timer for 239.77.0.77
*Dec 31 15:03:55.470: IGMP(0): MRT Add/Update Vlan1 for (*,239.77.0.77) by 0

It just seems to me that no packets are coming back from the ISP:

Router#show ip multicast interface dial1
Dialer1 is up, line protocol is up
  Internet address is 82.xxx.xxx.xxx/32
  Multicast routing: enabled
  Multicast switching: fast
  Multicast packets in/out: 0/252
  Multicast TTL threshold: 0
  Multicast Tagswitching: disabled
Router#show ip multicast interface vl1
Vlan1 is up, line protocol is up
  Internet address is 192.168.0.1/24
  Multicast routing: enabled
  Multicast switching: fast
  Multicast packets in/out: 121482/0
  Multicast TTL threshold: 0
  Multicast Tagswitching: disabled
Router#

I'm at the CCNA level, but to be honest, I've never really touched multicast (and mrouting). I don't know where to continue my troubleshooting from now on.

The provider provides configuration examples for other router manufacturers (see the "TV7" section), but they couldn't help me with Cisco. I have reviewed MikroTik configurations (instructions are in German, but the screenshots on page 4 should suffice), where it sounds as simple as defining one interface upstream and the other downstream.

5th dnd – How can I use multicast so that a fighter can launch True Resurrection and use the rage and unarmoured defense techniques of a barbarian?

When multiclassing, you cannot choose specific features of different classes and combine them – you choose levels in these classes. For example, a level 4 character can have 2 levels in the fighter class and 2 levels in the wizard class – they will get all the features of a level 2 wizard and all the characteristics of a level 2 fighter. It's a little more complicated when several classes of launchers are involved and there are certain requirements in terms of skill points; see page 163 of the player's manual for more details.

In other words, to get all the features you want, you need to determine which classes have access to them, at what level and choose those levels. The defense and helpless rage of the barbarians are level 1, so it's easy. On the other hand, the true resurrection is a level 9 spell that is available at level 17 for clerics and druids. This leaves room for 2 levels of combatant, assuming your character is at level 20.

Note however that at this point, the character would be more of a cleric / druid, with a few levels in barbarian / fighter. In addition, using barbaric rage, you will not be able to cast spells, so the synergy is not very good.

A possible low-level alternative would be to choose a cleric or druid level that will allow you to: attempt to launch True Resurrection via a scroll. This would be a DC19 check, based on your spell casting ability (WIS) and if it fails, the parchment is destroyed. To avoid verification, you can choose 13 levels of thief thief that allow you to use a magic device.

linux – How can I see multicast traffic on the same host?

On Fedora 30, I am trying to see the multicast packets in another process on the same host. Using netstat, iperf and tcpdump, I checked that the group is joined and that the packets are sent to the multicast address, but the iperf server mode never gets anything.

When I try this on another machine (CentOS 7) on a different network (which I have not configured), I see the packets leave, but I do not see the packets coming back, yet the iperf server prints the received packets. I imagine that it is a kernel matter, but how do I enable it?

Here is a part of the terminal session:

 jnordwick@jnkde ~ iperf -s -u -B 226.94.1.1 -i 1
------------------------------------------------------------
Server listening on UDP port 5001
Binding to local address 226.94.1.1
Joining multicast group  226.94.1.1
Receiving 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------

and the other terminal

 jnordwick@jnkde ~ netstat -g
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      all-systems.mcast.net
eno1            1      226.94.1.1

Sending packets:

 jnordwick@jnkde ~ iperf -c 226.94.1.1 -u -T 32 -t 3 -i 1
------------------------------------------------------------
Client connecting to 226.94.1.1, UDP port 5001
Sending 1470 byte datagrams, IPG target: 11215.21 us (kalman adjust)
Setting multicast TTL to 32
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
(  3) local 192.168.2.155 port 47755 connected with 226.94.1.1 port 5001
( ID) Interval       Transfer     Bandwidth
(  3)  0.0- 1.0 sec   131 KBytes  1.07 Mbits/sec
(  3)  1.0- 2.0 sec   128 KBytes  1.05 Mbits/sec
(  3)  0.0- 3.0 sec   385 KBytes  1.05 Mbits/sec
(  3) Sent 268 datagrams

Nothing appears in the server-side output, but if I run exactly the same command on another network, I can see:

(jnordwick@network2 ~)$ iperf -s -u -B 226.94.1.1 -i 1
------------------------------------------------------------
Server listening on UDP port 5001
Binding to local address 226.94.1.1
Joining multicast group  226.94.1.1
Receiving 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
(  3) local 226.94.1.1 port 5001 connected with 204.2.57.7 port 58971
( ID) Interval       Transfer     Bandwidth        Jitter   Lost/Total Datagrams
(  3)  0.0- 1.0 sec   129 KBytes  1.06 Mbits/sec   0.000 ms    0/   90 (0%)
(  3)  1.0- 2.0 sec   128 KBytes  1.05 Mbits/sec   0.001 ms    0/   89 (0%)
(  3)  2.0- 3.0 sec   128 KBytes  1.05 Mbits/sec   0.001 ms    0/   89 (0%)
(  3)  0.0- 3.0 sec   385 KBytes  1.05 Mbits/sec   0.001 ms    0/  268 (0%)

tcpdump confirms the igmp joins and the packets are sent. I guess this is about the kernel because I do not think switches usually return multicast / broadcast traffic to the sending host.

dnd 3.5e – Can a specialist assistant multi-cast to cast spells in his forbidden schools?

The answer to your question is yes. In fact, multiclassing, once done correctly, can give a specialist assistant much more flexibility than a simple assistant (specialist or not) with a few small compromises. One of my favorite strategies that I often quote as a great example (which many DM have found legal) is a Beguiler / Conjurer / Ultimate Magus / Master Specialist combination.

The idea is to prohibit enchantment and illusion. Although the illusion has many good defense spells, Beguiler's spell list contains virtually all the best spells of illusion and enchantment that make the prohibition of these two schools relatively easy. The Ultimate Magus part of the combo allows you to reinforce SKL and ECL for your two arcane classes, as well as to use a persistent spell more often without increasing the spell level. In addition, Wizard and Beguiler are extremely well networked because they share the same main capacity (intelligence). Finally, the stupid amount of Beguiler's skill points (though still not as high as that of a thief) and the inherent trapping ability will really help you to be more autonomous. If you wish to follow this path, I recommend you take your first level as Beguiler, the next four levels as a Joker, 6-15 levels as Ultimate Magus, and the rest of your levels as Conjurer or Master Specialist. If you execute it correctly and you realize the magician's feat performed for Beguiler and Wizard at the appropriate times, you will end up with a character with the spells of a Level 17 Wizard (which allows you to cast up to level 9 spells a day) with a caster level of 24 and the known spells of a level 10 beggar (which gives you access to level 5 beggar spells) with a caster level of 18.

Some might say that the actual loss of a few wizard levels is simply a too big sacrifice, but I think as long as you are able to cast 9th level wizard spells, the addition of the use persistent and essentially free spells, as well as many super useful utility spells that do not need to be memorized to use far outweigh the ability to cast three other level spells 9 a day. As always, use your own judgment. Another variation of this strategy is to use the Sorcerer class as a base and combine it with Knight of the Weave. To qualify for Ultimate Magus, you must take the feat that allows you to prepare your spontaneous spells in advance, but less DM allow, because you end up with a wizard who has a complete progression of spells, a small number of divine spells useful, and no side. For most DMs to integrate your campaign into the campaign, you often have to show that you give up something in exchange for something else. In this case, you swap a few spells a day from your higher level spells against being able to specialize in a particular magic school for its benefits, while being able to cast some of the best spells belonging to your forbidden schools.